oss-sec mailing list archives

[SECURITY] CVE-2023-30575: Apache Guacamole: Incorrect calculation of Guacamole protocol element lengths

From: Michael Jumper <mjumper () apache org>
Date: Tue, 6 Jun 2023 10:12:15 -0700

Severity: moderate
Base CVSS Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected versions:

- Apache Guacamole through 1.5.1

Description:

Apache Guacamole 1.5.1 and older may incorrectly calculate the lengthsof instruction elements sent during the Guacamole protocol handshake,potentially allowing an attacker to inject Guacamole instructions duringthe handshake through specially-crafted data.


Mitigation:

Users of versions of Apache Guacamole 1.5.1 and older should upgrade tothe 1.5.2 release.


Credit:

We would like to thank Stefan Schiller (Sonar) for reporting this issue.

References:

https://guacamole.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-30575

Timeline:

2023-04-11: Reported to security () guacamole apache org
2023-04-11: Report acknowledged by project
2023-04-12: Report confirmed by project
2023-05-09: Fix completed and merged
2023-05-09: Fix tested and confirmed by reporter
2023-05-25: Fix released

Current thread:

[SECURITY] CVE-2023-30575: Apache Guacamole: Incorrect calculation of Guacamole protocol element lengths Michael Jumper (Jun 06)